Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbor the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cybercriminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.

New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

The project analyzed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.

“We used the data to compare the timing of attacks for groups we think are based out of Russia and groups based everywhere else,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”

The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. Then the attackers demand a ransom not only for the decryption key but to keep the stolen data secret instead of selling it. The researchers may not have captured data from every single double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.

The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organizations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline. 

The increase wasn't visible in every sector, though. Russia-based ransomware gangs did seem to target government organizations and infrastructure at a slightly elevated rate two months out from a country's national election, but Nershi says the total number of attacks on government entities in the data set was small to begin with. The analysis didn't find a statistically significant increase in the number of attacks against organizations in the communications, finance, energy, and utility sectors leading up to elections. But because of the overall increase in attacks across all types of organizations, the researchers theorize that there may be a spillover effect that the Russian government's general increase of cyber activity in the lead-up to an election in one of the six countries indirectly fuels ransomware attacks.

“We are theorizing that there seems to be some level of loose ties between these ransomware groups based in Russia and the Russian government,” Nershi said, "In that they are criminal organizations, they’re in it for profit, but it seems like occasionally the Russian government will ask them for favors, and they’ll agree to operate on this sort of ad hoc basis."

The research aligns with other recent analyses and information, including details from a massive trove of chat logs leaked earlier this year that showed how the notorious Conti ransomware group operates. The data indicated that Conti members very likely have connections within Russia's FSB intelligence agency and knowledge of Russian military hacking operations, painting a picture of loose and ad hoc cooperation. 

“What the groups get out of it is generally not being prosecuted. And for the Russian government, it can allow them to outsource to some degree certain tasks in a way that gives them plausible deniability,” Nershi says. "As I perceive it, it's a strange, nebulous, ambiguous relationship."